Cisco ASAv - Configuring an ASAv from scratch (w/HA failover)

Let's assume for a moment that you didn't customize the ASAv OVA deployment to set IP addresses and so on, and instead just clicked next, next, next through the wizard, so you now have a completely empty config.

Or maybe you have a factory-reset physical ASA that you have connected to via the console.

Well, here is a guide to configuring an ASAv from scratch, including HA failover.

Note: This is a very basic config; you will need to tailor it to your own environment and apply appropriate security.

Set up an ASAv from scratch and configure it for failover with a second ASAv

Note: You can use this guide to set up a physical ASA as well, as it's the same software!

Basic config:

en
conf t
hostname ASAv01-A
domain-name sanghera.me.uk
enable password cisco
username cisco password cisco privilege 15
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL (Only if you want to use the ASDM)
crypto key generate rsa modulus 4096
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
exit

Configure the management interface of the HA pair:

conf t
int management0/0
management-only
nameif management
security-level 100
ip address 172.16.2.1 255.255.255.0 standby 172.16.2.2
no shutdown

http 172.16.0.0 255.255.0.0 management (Only for ASDM)
ssh 172.16.0.0 255.255.0.0 management
ssh version 2
exit

Configure the outside interface, using the next available IP from your modem/ISP device:

conf t
int gi0/0
description Outside
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
no shutdown
exit

Configure the default route and the access control list, and bind the ACL to the outside interface (for internet access). Note that this example ACL permits any source on the outside to reach 172.16.0.0/24; return traffic for sessions started from the inside is already allowed by the ASA's stateful inspection, so narrow this rule to what you actually need to expose:

conf t
route outside 0.0.0.0 0.0.0.0 192.168.1.254
access-list allow_nat_in extended permit ip any 172.16.0.0 255.255.255.0
access-group allow_nat_in in interface outside
exit

Configure the inside interface:

conf t
int gi0/1
description Inside
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
no shutdown
exit

Configure dynamic NAT (object NAT, translating to the outside interface address) so traffic from your inside network is NATed to the outside IP (for internet traffic):

conf t
object network obj-any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
exit

Configure the DMZ interface:

conf t
int gi0/2
description DMZ
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
no shutdown
exit

Configure the failover interface:

conf t
failover lan unit primary
int gi0/8
no shutdown
exit

Configure the failover IP address, give the failover link a name and set a failover key:

conf t
failover lan interface fover GigabitEthernet0/8
INFO: Non-failover interface config is cleared on GigabitEthernet0/8 and its sub-interfaces
failover interface ip fover 172.16.3.1 255.255.255.0 standby 172.16.3.2
failover key secretkey
failover link fover
monitor-interface outside
monitor-interface inside
exit
show failover
conf t
failover
exit
show failover interface
show failover

Change the prompt to display the failover state and priority of the ASA you are logged into:

conf t
prompt hostname state priority

On the second ASA you only need to configure the failover interface, as the rest of the config will replicate once failover comes up, so just enter the following:

en
conf t
no failover
failover lan unit secondary
int gi0/8
no nameif
no shutdown
exit
failover lan interface fover gi0/8
failover interface ip fover 172.16.3.1 255.255.255.0 standby 172.16.3.2
failover key secretkey
failover link fover
failover (This command enables failover and starts the replication once the interface is brought up)
exit
show run

conf t
int gi0/8
no shutdown
exit
show failover

Now you should see this:

Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

The config from the primary ASA should have replicated to the secondary ASA.

Now set the hostname on the secondary ASA.

conf t

(You may get: "Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized". Just ignore this, as you are only modifying the hostname to differentiate the two ASAs.)

hostname ASAv01-B

You will now be able to tell which ASA you are logged on to, and its state and priority in the failover pair, just from the prompt.

On the primary firewall, do the following to improve the failover time:

conf t
failover polltime unit 1 holdtime 3
failover polltime interface 3
int gi0/8
failover polltime interface 3
exit

On the primary firewall, do the following to improve the handling of HTTP sessions during a failover:

conf t
failover replication http
exit

show run
write mem
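As an added example (not part of the original post), here is a small Python checker you can run over the text of `show running-config` to catch the mistakes this kind of from-scratch build is prone to: a malformed netmask on an active/standby pair, a standby address outside the active address's subnet, enable or user passwords still set to the placeholder `cisco`, and a `permit ip any` rule bound inbound on `outside`. The sample config embedded below is constructed from the lines in this guide, with the netmask typo left in on purpose.

```python
import ipaddress
import re

# Constructed sample: lines from the guide above, with the netmask typo
# (255.255.25.0) kept so the checker has something to catch.
SAMPLE_CONFIG = """\
enable password cisco
username cisco password cisco privilege 15
ip address 172.16.2.1 255.255.25.0 standby 172.16.2.2
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
access-list allow_nat_in extended permit ip any 172.16.0.0 255.255.255.0
access-group allow_nat_in in interface outside
"""
PLACEHOLDER_SECRETS = {"cisco"}  # the guide's placeholder password

def check_ip_pairs(lines):
    """Active and standby addresses must share a valid mask and subnet."""
    findings = []
    for ln in lines:
        m = re.match(r"ip address (\S+) (\S+) standby (\S+)", ln)
        if not m:
            continue
        active, mask, standby = m.groups()
        try:
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        except ValueError:  # non-contiguous or otherwise invalid mask
            findings.append(f"invalid mask on '{ln}'")
            continue
        if ipaddress.ip_address(standby) not in net:
            findings.append(f"standby {standby} outside {net}")
    return findings

def check_credentials(lines):
    """Flag enable/user passwords still set to the guide's placeholder."""
    pat = re.compile(r"(?:enable password|username \S+ password) (\S+)")
    return [f"placeholder secret in '{ln}'" for ln in lines
            if (m := pat.match(ln)) and m.group(1) in PLACEHOLDER_SECRETS]

def check_outside_acl(lines):
    """Flag 'permit ip any' in an ACL applied inbound on the outside interface."""
    bound = {m.group(1) for ln in lines
             if (m := re.match(r"access-group (\S+) in interface outside", ln))}
    acl = re.compile(r"access-list (\S+) extended permit ip any ")
    return [f"broad inbound rule on outside: '{ln}'" for ln in lines
            if (m := acl.match(ln)) and m.group(1) in bound]

def audit(config):
    """Run every check over one running-config text; returns the findings."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    return check_ip_pairs(lines) + check_credentials(lines) + check_outside_acl(lines)
```

Run `audit()` on the captured running-config of each unit before you enable failover; on the sample above it reports four findings.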
